suricata
decode-erspan.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Decodes ERSPAN Types I and II
31  */
32 
33 #include "suricata-common.h"
34 #include "suricata.h"
35 #include "decode.h"
36 #include "decode-events.h"
37 #include "decode-erspan.h"
38 
39 #include "util-validate.h"
40 #include "util-unittest.h"
41 #include "util-debug.h"
42 
43 /**
44  * \brief Functions to decode ERSPAN Type I and II packets
45  */
46 
47 /*
48  * \brief ERSPAN Type I was configurable in 5.0.x but is no longer configurable.
49  *
50  * Issue a warning if a configuration setting is found.
51  */
52 void DecodeERSPANConfig(void)
53 {
54  int enabled = 0;
55  if (ConfGetBool("decoder.erspan.typeI.enabled", &enabled) == 1) {
56  SCLogWarning("ERSPAN Type I is no longer configurable and it is always"
57  " enabled; ignoring configuration setting.");
58  }
59 }
60 
61 /**
62  * \brief ERSPAN Type I
63  */
64 int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
65  const uint8_t *pkt, uint32_t len)
66 {
67  StatsIncr(tv, dtv->counter_erspan);
68 
69  return DecodeEthernet(tv, dtv, p, pkt, len);
70 }
71 
72 /**
73  * \brief ERSPAN Type II
74  */
75 int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
76 {
77  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
78 
79  StatsIncr(tv, dtv->counter_erspan);
80 
81  if (len < sizeof(ErspanHdr)) {
82  ENGINE_SET_EVENT(p,ERSPAN_HEADER_TOO_SMALL);
83  return TM_ECODE_FAILED;
84  }
85  if (!PacketIncreaseCheckLayers(p)) {
86  return TM_ECODE_FAILED;
87  }
88 
89  const ErspanHdr *ehdr = (const ErspanHdr *)pkt;
90  uint16_t version = SCNtohs(ehdr->ver_vlan) >> 12;
91  uint16_t vlan_id = SCNtohs(ehdr->ver_vlan) & 0x0fff;
92 
93  SCLogDebug("ERSPAN: version %u vlan %u", version, vlan_id);
94 
95  /* only v1 is tested at this time */
96  if (version != 1) {
97  ENGINE_SET_EVENT(p,ERSPAN_UNSUPPORTED_VERSION);
98  return TM_ECODE_FAILED;
99  }
100 
101  if (vlan_id > 0) {
102  if (p->vlan_idx >= 2) {
103  ENGINE_SET_EVENT(p,ERSPAN_TOO_MANY_VLAN_LAYERS);
104  return TM_ECODE_FAILED;
105  }
106  p->vlan_id[p->vlan_idx] = vlan_id;
107  p->vlan_idx++;
108  }
109 
110  return DecodeEthernet(tv, dtv, p, pkt + sizeof(ErspanHdr), len - sizeof(ErspanHdr));
111 }
112 
113 /**
114  * @}
115  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:887
len
uint8_t len
Definition: app-layer-dnp3.h:2
decode-erspan.h
ERSPAN_UNSUPPORTED_VERSION
@ ERSPAN_UNSUPPORTED_VERSION
Definition: decode-events.h:203
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type II.
Definition: decode-erspan.c:75
Packet_::vlan_id
uint16_t vlan_id[2]
Definition: decode.h:455
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:482
DecodeERSPANConfig
void DecodeERSPANConfig(void)
Functions to decode ERSPAN Type I and II packets.
Definition: decode-erspan.c:52
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:456
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:707
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
util-unittest.h
decode.h
util-debug.h
DecodeERSPANTypeI
int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type I.
Definition: decode-erspan.c:64
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
ERSPAN_HEADER_TOO_SMALL
@ ERSPAN_HEADER_TOO_SMALL
Definition: decode-events.h:202
Packet_
Definition: decode.h:428
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:403
suricata-common.h
version
uint8_t version
Definition: decode-gre.h:1
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
ERSPAN_TOO_MANY_VLAN_LAYERS
@ ERSPAN_TOO_MANY_VLAN_LAYERS
Definition: decode-events.h:204
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:664
suricata.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42